A Response to the Smart City Technical Vulnerability Report

August 20, 2018

Smart City Concept from 'How to Outsmart the Smart City'

On August 9th 2018, during the major Security conference Black Hat, security researchers from IBM and Threatcare announced major technical vulnerabilities in a variety of Smart City technology. The Smart City technology in focus ranged from Industrial IoT (things like smart meters or substation components for the electric grid) to transportation system controllers. Author Jason Murdock brought some of these vulnerabilities to life in his Newsweek article ‘Supervillain-Level’ Cyberattack Test on Cities Uncovers Shocking Flaws.

While it’s important to have an open conversation about the extent of the vulnerabilities of urban critical infrastructure, these security challenges are nothing new. In fact, there have been several reports by Thibodeaux, Cerrudo and others detailing these issues in previous years. One consideration that is often omitted from these reports is the considerable human attack surface for smart cities. These technical vulnerabilities are not exceedingly difficult to exploit by sophisticated hackers – but hackers generally like to take the path of least resistance. Urban critical infrastructure that is networked is accessible to large citizen populations via mobile applications. Citizens are not all security-savvy and social engineering attacks against them is likely an easy target. A hacker gaining access to a citizen’s account and then escalating privilege in the urban critical infrastructure is an attractive scenario for an adversary.

Defensive Social Engineering (DSE) tools discussed on our blog such as Cyber Negotiation should be employed to help defend against these future smart city attacks. Others have recently discussed the merit of “hacking back” to deal with such cyberattacks. Our stance on this is that hacking back will just escalate the situation. Instead, a better strategy is to leverage the DSE tool of posturing by publically announcing that you will hack back so that hackers take note and instead target a different organization’s assets.

While it’s interesting to hear about all of the technical vulnerabilities in the equipment, we need to remember that these vulnerabilities likely pale in comparison to the social attacks that will be waged against our urban critical infrastructure as they are increasingly digitized.

MIT Cybersecurity Clinic

The new MIT Cybersecurity Clinic (11.274 and 11.074) will be offered in both the fall and spring semester at MIT.

The Cybersecurity Clinic will consist of four-modules : Cybersecurity for Critical Urban Infrastructure: Understanding the Problem; How the MIT Cybersecurity Clinic Makes Initial Contact with potential Client Agencies; Onsite Assessment of Cybersecurity Vulnerability by MIT Clinic Staff; and Prepare and Submit a Final Cybersecurity Vulnerability Assessment to a Client Agency. MIT students who want to take on field assignments with the Cybersecurity Clinic (for academic credit) must pass the certification examination offered at the end of the fourth module.

Students who have achieved certification, will work in teams supervised by advanced doctoral and post-doctoral students during the last nine weeks of the spring semester to collaborate with an assigned client agency to prepare a Cyberattack Vulnerability Assessment for a client agency.

Social Cyberdefense of Critical Urban Infrastructure

MIT Cybersecurity Clinic

Who We ARe

Resources

About this Blog

Recent Blogs